The rkt container runtime is deprecated and not used anymore except
for the kubelet-wrapper script. This script can't be ported to Docker
because it is used by the user with rkt-specific arguments and it is
only a wrapper around the deprecated hyperkube images (and has been
broken for the last K8s releases). The recommended way is to run the
kubelet binary directly on the host.
The GCE daemon container was run with rkt from an ACI tar ball.
To replace rkt with systemd-nspawn, extract the tar ball to an
image and run the daemon as systemd-nspawn container.
Having the hostname units as required by the initrd.target meant that if
the unit failed (for example because the network was or the metadata
service were down), the machine wouldn't start. By making it a "wants"
rather than a "requires" we allow this unit to fail without disrupting
the whole boot.
We do not need to set COREOS_GO_VERSION to a specific version, unless
it is necessary to avoid build issues in certain cases like Docker.
Simply remove COREOS_GO_VERSION from the ebuild of cri-tools.
- Drop binddist from RESTRICT variable
- Drop pkg_postinst
- Create /etc/ssl with tmpfiles (and package it for the SDK).
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
This change pulls in the latest bootengine version, that enables ISCSI
support in dracut and avoids tearing down the network when using netroot
See https://github.com/kinvolk/bootengine/pull/22 for more information.
This reverts commit f8dda51d546b466d9faf0c936b2ad5592ab1639e.
Recently we dropped `bindist` from `RESTRICT` in openssl, so it is
now possible to turn on `ssl` for wget again. The issue of openssl being
blocked by `masked by: bindist in RESTRICT` etc. has now disappeared.
Fixes https://github.com/kinvolk/Flatcar/issues/149
For some reason, the old version of boost-build 1.67 is still here.
As we already have boost-build 1.75 in portage-stable, we should
completely delete boost 1.67.
Flatcar uses its own network module instead of the Dracut one, but the
iscsi module depends on the network. So, in order to enable the iscsi
module, we need to patch the dependency
We need to customize dracut. Currently the version in portage-stable is
picked because it's newer than the one in coreos-overlay. This commit
updates coreos-overlay to the same versions available in portage-stable.
This pulls in
https://github.com/kinvolk/baselayout/pull/17
to enable the pam_faillock module as replacement for pam_tally2.
The "faillock" binary can be used to see the login attempts and
account lock status which before was available with the pam_tally
command. While the tally defaults did not temporarily lock the
account on wrong password login attempts, this is done by default
with faillock. However, the default behavior was relaxed to allow
more wrong attempts and have a shorter lock time span.
As rkt is deprecated we need to run the Flannel container with Docker
or Podman. The flannel-wrapper script is based on rkt arguments and
can't be used in a compatible way but we cannot remove it since ct
explicitly uses it in the ExecStart directive when writing out a
drop-in file once flannel settings are given in a Container Linux
Config.
A better way to run the Flannel/etcd container image is Podman because
Flannel depends on etcd but wants to be run before Docker so that it
can set up the Docker networking. Etcd and Flannel are part of the
Container Linux Config specification and thus can't be removed easily.
For now we have to resort to running these services with Docker and try
to restart Docker for the Flannel options to take effect (but that also
terminates the etcd and flannel containers, causing the services to
restart).
Since rkt is deprecated we need to run the etcd container with Docker
or Podman. The etcd-wrapper script is based on rkt arguments and can't
be used in a compatible way but we cannot remove it since ct explicitly
uses it in the ExecStart directive when writing out a drop-in file once
etcd settings are given in a Container Linux Config.
A better way to run the Flannel/etcd container image is Podman because
Flannel depends on etcd but wants to be run before Docker so that it
can set up the Docker networking. Etcd and Flannel are part of the
Container Linux Config specification and thus can't be removed easily.
For now we have to resort to running these services with Docker and try
to restart Docker for the Flannel options to take effect.
This commit adds some comments to help other folks to
easily recognize Flatcar-specific code.
Check issue #364 for further details.
Signed-off-by: Jose Blanquicet <blanquicet@gmail.com>
